Woman Hit with $40,000 in Credit Card Fraud After Losing Her Apple Watch

Here’s what happened and how to protect yourself.
Image: Apple Watch Apple Pay. Credit: Kaspar Grinvalds / Shutterstock

In what seems to be another cautionary tale about using secure passcodes, a visitor to Disney World recently encountered tens of thousands of dollars in fraudulent credit card charges after her Apple Watch slipped off her wrist.

According to WDW News Today, a woman visiting Disney World’s EPCOT lost her $1,300 Hermès Edition Apple Watch after it fell through a grated floor on the slow-moving The Seas with Nemo & Friends ride. The guest was reportedly “fidgeting with her Apple Watch” during the ride when it came off her wrist, landing on a pathway below.

Her husband quickly leaped off the ride to try and retrieve the Apple Watch but was cautioned by operators and staff not to disembark from the ride while it was moving. The Disney cast member who spoke with the couple assured them that she could see where the Apple Watch landed and would ensure that it was returned to them at their hotel.

Sadly, that didn’t happen.

After returning to her room, the woman contacted Disney Guest Relations to see if anybody had retrieved the Apple Watch. She was told that no one had turned it in. According to the Orange County Sheriff’s Office report, “the staff advised her that they did not have the watch.”

The woman, whose name is redacted on the police report, noted that she had several credit cards linked to the Apple Watch, presumably with Apple Pay, including an American Express card with an unlimited credit line.

Following the incident, the woman reported receiving “several fraud alerts throughout the course of the day on her Amex card,” which amounted to “approximately $40,000 of fraudulent charges on her card.” The report isn’t clear on how much time elapsed between losing the Apple Watch and the start of the fraud alerts; however, after the alerts came in, the woman shut down the credit cards attached to the missing watch.

Since much of the report is redacted, it’s hard to say precisely what happened. There isn’t even any indication of what the thief managed to spend $40,000 on. Disney World may be an expensive place to visit, but it’s not that expensive.

The report also doesn’t say how American Express handled those fraudulent charges. As a rule, AMEX is more willing to reverse fraudulent charges than most card issuers, and that’s even more true for a customer who would be carrying the level of card that would allow for $40,000 in charges in a very short time period. That’s typically an AMEX Platinum or AMEX Centurion card.

Apple Pay Security on the Apple Watch

However, what’s unusual is the role that the Apple Watch could have played in this scenario.

  1. To set up Apple Pay on the Apple Watch, the owner must have a passcode enabled.
  2. Disabling the passcode on your Apple Watch will automatically remove all payment cards from your Apple Watch.
  3. If Wrist Detection is enabled, your Apple Watch automatically locks as soon as it leaves your wrist.
  4. If you are not wearing your Apple Watch or if Wrist Detection is not enabled, you will need to enter your passcode every time you want to use Apple Pay.

In other words, someone else can’t use Apple Pay from your Apple Watch without either holding your wrist to the payment terminal while you’re wearing it or knowing the Apple Watch passcode.

Unfortunately, as is often the case, the weakest link in this security is the passcode. If the woman was using an easily guessed passcode, or if somebody watched her type it in while she was fiddling with her Apple Watch, then it would be possible for a thief to unlock the Apple Watch and use it with Apple Pay.

Nevertheless, the payment cards stored in Apple Pay on an Apple Watch can only be used for in-person NFC payments. The card number is not available, and the Apple Watch does not provide any ability to make online purchases through Apple Pay. In this case, the thief must have either used the Apple Watch to make in-person purchases at one or more retail locations or charged the transactions through a merchant account belonging to them or an accomplice.

How to Protect Yourself

If you’re using Apple Pay on your Apple Watch, the first thing you should do is make sure you’re using a secure passcode.

Like other Apple devices, the Apple Watch allows only a limited number of passcode attempts, but if you’re using something like “1234” or “1111”, then it’s not going to take too many attempts to hit on it.

  • After five failed passcode attempts, the user will be locked out for one minute before they can try again.
  • After the sixth failed attempt, this increases to 5 minutes.
  • After the seventh failed attempt, there will be a 15-minute delay.
  • After the ninth failed attempt, this goes up to a 60-minute delay for each subsequent attempt.

This means that it will take a would-be thief 35 minutes to try nine possible passcodes. After that, they’ll only be able to attempt another one every hour.

However, you can also set your Apple Watch to erase after ten failed passcode attempts. Here’s how:

  1. On your Apple Watch, open the Settings app.
  2. Scroll down and tap Passcode.
  3. Tap the switch beside Erase Data to toggle it on.

It’s also a good idea to use a longer passcode on your Apple Watch. You’re not limited to using only a four-digit passcode, and naturally, longer passcodes are harder to guess — assuming you’re not using something obvious like your birthday.

Even if a thief could overcome the built-in delays between attempts — and we haven’t heard of anybody successfully doing this on an Apple Watch — it would still take 22 hours to try every possible combination of a six-digit passcode. By comparison, a four-digit passcode could be brute-forced in under 14 minutes.
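A small Python model of the lockout schedule and the Erase Data option described above, showing how few guesses the throttle permits and how much a six-digit passcode shrinks the odds within that budget. This is an added example, not code from the article or from Apple; the function names are hypothetical, and the 15-minute delay after the eighth failure is an assumption because the article lists no figure for it.

```python
from fractions import Fraction

# Lockout delay in minutes after the Nth consecutive failed attempt, taken
# from the article's list. The article gives no figure for the 8th failure;
# carrying the 15-minute delay forward is an assumption made for this model.
DELAY_AFTER_FAILURE = {5: 1, 6: 5, 7: 15, 8: 15}
DELAY_FROM_NINTH = 60   # each failure from the 9th onward
ERASE_THRESHOLD = 10    # Erase Data wipes the watch at the 10th failure


def delay_after(failures: int) -> int:
    """Minutes the watch refuses input after `failures` failed attempts."""
    if failures >= 9:
        return DELAY_FROM_NINTH
    return DELAY_AFTER_FAILURE.get(failures, 0)


def simulate(guess_rank: int, erase_data: bool) -> tuple[str, int]:
    """Model someone working through a guess list on a locked watch.

    guess_rank is the 1-based position of the real passcode in that list.
    Returns (outcome, minutes spent waiting out lockouts).
    """
    if guess_rank < 1:
        raise ValueError("guess_rank is 1-based")
    failures = 0
    waited = 0
    while True:
        if failures + 1 == guess_rank:      # this attempt is the right one
            return "unlocked", waited
        failures += 1
        if erase_data and failures >= ERASE_THRESHOLD:
            return "erased", waited         # cards and data are gone
        waited += delay_after(failures)


def odds_within_erase_budget(digits: int) -> Fraction:
    """Chance a uniformly random passcode falls within the 10 guesses
    that Erase Data allows."""
    keyspace = 10 ** digits
    return Fraction(min(ERASE_THRESHOLD, keyspace), keyspace)


if __name__ == "__main__":
    for rank in (3, 8, 12):
        for erase in (False, True):
            print(rank, erase, simulate(rank, erase))
    for digits in (4, 6):
        print(digits, "digits:", odds_within_erase_budget(digits))
```

A passcode that sits among the first few guesses falls before any delay applies, which is why the schedule only helps when the passcode is not an obvious one.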

Here’s how to use a longer passcode on your Apple Watch:

  1. On your Apple Watch, open the Settings app.
  2. Scroll down and tap Passcode.
  3. Toggle the switch beside Simple Passcode.
  4. When prompted, enter your current four-digit passcode.
  5. In the next step, enter your new, longer passcode, making sure to tap the OK button when done.
  6. Re-enter your new passcode and tap OK again.

As long as you have Wrist Detection enabled, a longer passcode shouldn’t be a problem since you don’t have to enter it often. Since so many other Apple Watch features rely on Wrist Detection, there are many good reasons to make sure it’s turned on. Here are a few of the things that require Wrist Detection to be turned on:

  • Unlocking your iPhone with your Apple Watch.
  • Automatically calling for help via Emergency SOS after a fall.
  • Heart rate tracking and notifications.
  • Respiratory rate background measurements.
  • Sleep tracking.
  • Noise measurements and notifications.

Wrist Detection is usually enabled by default, but you can check this by opening the Settings app on your Apple Watch and checking in the Passcode section.
